Massive hack blows crater in Sony brand

NEW YORK (CNNMoney) -- It's been a nightmarish three weeks for Sony, as it struggles to recover from massive hack attacks on three separate gaming systems it runs. Not only are the PlayStation, Qriocity and Sony online gaming networks still offline, but tens of millions of credit card numbers may have been stolen.

Gamers are irate as Sony (SNE) works to get its systems back online -- and their patience is running out, according to Brian Crecente, editor of gaming blog Kotaku.

"The theme that's bubbling up among our commenters is that they'll be much happier if things are solved today rather than tomorrow," Crecente says.

But Sony's timetable for a fix has grown longer in the weeks since the breaches first came to light.

What's been hacked: Sony disclosed the first hack on April 22, saying that an "external intrusion" on its systems between April 17 and 19 affected its PlayStation Network and its media streaming service Qriocity. It pulled the plug on both services on April 20. They remain offline.

Then, on April 27, Sony announced that personal information and perhaps credit card numbers had been stolen in the PlayStation Network and Qriocity breaches. That put sensitive details at risk for a whopping 77 million customers.

"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," Sony wrote on its blog.

On May 2, things got even worse. Another division, Sony Online Entertainment, took its Web services offline after revealing that hackers also gained access to its databases of subscriber information.

Sony Online Entertainment makes online multiplayer games for computers and the PlayStation 3, including the extremely popular EverQuest franchise. A company representative says that personal information -- but not financial details -- from approximately 25 million accounts may have been stolen.

Hackers may have also obtained financial information for international users from an outdated database from 2007, spokeswoman Michele Sturdivant says. That includes 12,700 non-U.S. credit or debit card numbers and expiration dates, as well as 10,700 direct debit records for customers in Austria, Germany, the Netherlands and Spain.

Sturdivant says the online division is "working around the clock to ensure this is taken care of as soon as possible."

Public reaction: Sony may be piling its resources into a fix, but gamers are frustrated that the company took so long to warn them about the potential exposure of their credit cards.

"It took five days from the time the service went down to get the 'yes, we've been compromised' admission," says Justin McElroy, reviews editor at gaming blog Joystiq. "Not to put that information in the hands of users was a big misstep."

Sony defended the lag in a letter to Congress last week, saying it took forensic teams time to figure out the depths of the "very professional, highly sophisticated" attack.

Branding expert Karen Post says Sony was right to make sure it had accurate information before it started talking, in order to avoid making a confusing situation worse.

"Timing may have seemed slow, but brands have to prevent the need for retractions on their [statements] that reach so many people," Post says. "Technology moves so fast that people want answers now."

Can Sony recover? Sony's fate is now tied to what happens to the compromised credit card numbers.

If hackers did indeed capture financial information on all 77 million PlayStation Network members, it would be one of the biggest heists in history, says LowCards.com CEO Bill Hardekopf.

The record holder is a 2010 hack of payment processor Heartland Payment Systems, in which as many as 130 million accounts were stolen, Hardekopf says. Other big heists include the theft of data from 46 million accounts from TJ Maxx and Marshall's in 2007, and 40 million MasterCard (MA, Fortune 500) accounts in 2005.

If the credit cards were not stolen, Brian Crecente, the Kotaku editor, doesn't think Sony will suffer much long-term fallout.

"People say a lot of things in the heat of the moment, but it's rare that they actually boycott a brand," Crecente says. "There are things Sony could have done better, but they didn't do anything malicious."

In an unscientific poll that Kotaku posted last week, 49% of the 9,000 respondents said they liked the Sony brand less in light of the hack. But 46% said their opinion didn't change.

And the culprit is ... While Sony scrambles to fix its current problems and prevent any reoccurrence, the company is also trying to figure out who's behind the attack in the first place.

Sony seems to think it's the website-attacking group "Anonymous." In its letter to Congress last week, Sony said that it "discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named 'Anonymous' with the words 'We are Legion.'"

Anonymous is a decentralized group that originated on image-board site 4chan.org. It organizes swarms to try to crash the websites of those it deems enemies. In the past, the group has taken down several high-profile sites, including those of the Motion Picture Association of America and the Recording Industry Association of America.

A purported Anonymous news site, AnonNews.org, posted a statement on April 22 titled "For Once We Didn't Do It." But the poster did acknowledge that since Anonymous is a decentralized group, "it could be the case that other Anons have acted by themselves" -- though the group "does not take responsibility as a whole for whatever has happened."

Still, Sony had reason to be suspicious. Sony's letter to Congress last week pointed out that the company recently landed in Anonymous' crosshairs for suing two people who were distributing instructions on how to hack a PlayStation 3 game system -- and then going after the details on anyone who ever viewed the instructions.